DISA MS Windows Privileged Access Workstation v2r2

Audit Details

Name: DISA MS Windows Privileged Access Workstation v2r2

Updated: 6/22/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.0

Estimated Item Count: 37

File Details

Filename: DISA_STIG_MS_Windows_Privileged_Access_Workstation_v2r2.audit

Size: 84 kB

MD5: c89eee313cdd14dfe70ada13ef1e4abe
SHA256: 43ee9b7620d9e4fa9b6ffb0d52b81dafa60f7c8c1954a04d1c6b89657dcab435

Audit Items

DescriptionCategories
WPAW-00-000100 - Administrators of high-value IT resources must complete required training.

AWARENESS AND TRAINING, CONFIGURATION MANAGEMENT

WPAW-00-000200 - Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW) - AO must be remotely managed only via PAW

CONFIGURATION MANAGEMENT

WPAW-00-000400 - Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

WPAW-00-000500 - A Windows PAW must only be used to manage high-value IT resources assigned to the same tier.

CONFIGURATION MANAGEMENT

WPAW-00-000600 - All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.

CONFIGURATION MANAGEMENT

WPAW-00-000700 - The Windows PAW must be configured with a vendor-supported version of Windows 10 and applicable security patches that are DoD approved - CurrentBuild

CONFIGURATION MANAGEMENT

WPAW-00-000700 - The Windows PAW must be configured with a vendor-supported version of Windows 10 and applicable security patches that are DoD approved - ProductName

CONFIGURATION MANAGEMENT

WPAW-00-000800 - A Windows update service must be available to provide software updates for the PAW platform - AUOptions

CONFIGURATION MANAGEMENT

WPAW-00-000800 - A Windows update service must be available to provide software updates for the PAW platform - ScheduledInstallDay

CONFIGURATION MANAGEMENT

WPAW-00-000800 - A Windows update service must be available to provide software updates for the PAW platform - ScheduledInstallTime

CONFIGURATION MANAGEMENT

WPAW-00-000800 - A Windows update service must be available to provide software updates for the PAW platform - WUServer

CONFIGURATION MANAGEMENT

WPAW-00-001000 - The Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications.

CONFIGURATION MANAGEMENT

WPAW-00-001050 - Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy).

CONFIGURATION MANAGEMENT

WPAW-00-001060 - Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity).

CONFIGURATION MANAGEMENT

WPAW-00-001100 - Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally.

CONFIGURATION MANAGEMENT

WPAW-00-001200 - The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts - Deny log on as a batch job

CONFIGURATION MANAGEMENT

WPAW-00-001200 - The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts - Deny log on as a service

CONFIGURATION MANAGEMENT

WPAW-00-001200 - The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts - Deny log on locally

CONFIGURATION MANAGEMENT

WPAW-00-001300 - A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource.

SYSTEM AND COMMUNICATIONS PROTECTION

WPAW-00-001400 - PAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally.

CONFIGURATION MANAGEMENT

WPAW-00-001500 - In a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources.

SYSTEM AND COMMUNICATIONS PROTECTION

WPAW-00-001600 - The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.

IDENTIFICATION AND AUTHENTICATION

WPAW-00-001700 - The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

WPAW-00-001800 - If several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs.

CONFIGURATION MANAGEMENT

WPAW-00-002100 - The Windows PAW must be configured so that all inbound ports and services to a PAW are blocked except as needed for monitoring, scanning, and management tools or when the inbound communication is a response to an outbound connection request.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

WPAW-00-002200 - The Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked.

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

WPAW-00-002300 - The local Administrators group on the Windows PAW must only include groups with accounts specifically designated to administer the PAW.

CONFIGURATION MANAGEMENT

WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - Backup Operators

CONFIGURATION MANAGEMENT

WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - Cryptographic Operators

CONFIGURATION MANAGEMENT

WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - excluding Administrators must be restricted to include no members -Power Users

CONFIGURATION MANAGEMENT

WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - Hyper-V Administrators

CONFIGURATION MANAGEMENT

WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - Network Configuration Operators

CONFIGURATION MANAGEMENT

WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - Remote Desktop Users

CONFIGURATION MANAGEMENT

WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - Replicator

CONFIGURATION MANAGEMENT

WPAW-00-002500 - Restricted remote administration must be enabled for high-value systems - DisableRestrictedAdmin

CONFIGURATION MANAGEMENT

WPAW-00-002500 - Restricted remote administration must be enabled for high-value systems - RestrictedRemoteAdministration

CONFIGURATION MANAGEMENT

WPAW-00-002600 - If several PAWs are set up in virtual machines (VMs) on a host server, domain administrative accounts used to manage high-value IT resources must not have access to the VM host operating system (OS) (only domain administrative accounts designated to manage PAWs should be able to access the VM host OS).

CONFIGURATION MANAGEMENT